[BUG] failed to handle eip add on CentOS 7

[jcshare]

Kube-OVN Version

v.1.12.17 and master

Kubernetes Version

v1.27.15

Operation-system/Kernel Version

Linux c7-test-master 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Description

vim kube-ovn-controller-5bdd6965f8-m8ghz.log

...
I0805 07:12:37.443897       7 vpc_nat_gw_eip.go:208] handle add iptables eip eip-vpc2
I0805 07:12:37.443937       7 ipam.go:60] allocate v4 192.168.1.23, v6 , mac 8e:d2:45:53:b8:f1 for eip-vpc2 from subnet ovn-vpc-external-network
I0805 07:12:37.443990       7 vpc_nat_gateway.go:709] bash /kube-ovn/nat-gateway.sh eip-add 192.168.1.23/24,192.168.1.1
I0805 07:12:37.635159       7 vpc_nat_gateway.go:723] ExecuteCommandInContainer stdOutput: ext-subnet-route-add 192.168.1.0/24,192.168.1.1
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
-A SNAT_FILTER -j SHARED_SNAT
default via 192.168.1.1 dev net1
E0805 07:12:37.635196       7 vpc_nat_gateway.go:727] failed to ExecuteCommandInContainer errOutput: # Warning: iptables-legacy tables present, use iptables-legacy-save to see them
E0805 07:12:37.635235       7 vpc_nat_gateway.go:620] failed to exec nat gateway rule, err: # Warning: iptables-legacy tables present, use iptables-legacy-save to see them
E0805 07:12:37.635258       7 vpc_nat_gateway.go:189] process: updateVpcSubnet. err: error syncing 'gw-vpc1': failed to exec nat gateway rule, err: # Warning: iptables-legacy tables present, use iptables-legacy-save to see them, requeuing
....

Steps To Reproduce

1. prepare vpc.yaml and create it via " kubectl apply -f " vpc.yaml"
   $ cat vpc.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ns1-vpc2
---
kind: Vpc
apiVersion: kubeovn.io/v1
metadata:
  name: vpc2
spec:
  staticRoutes:
    - cidr: 0.0.0.0/0
      nextHopIP: 10.0.11.254
      policy: policyDst
  namespaces:
  - ns1-vpc2
---
kind: Subnet
apiVersion: kubeovn.io/v1
metadata:
  name: net1-vpc2
spec:
  vpc: vpc2
  cidrBlock: 10.0.11.0/24
  protocol: IPv4
  excludeIps:
  - 10.0.11.254
  namespaces:
    - ns1-vpc2
---
kind: VpcNatGateway
apiVersion: kubeovn.io/v1
metadata:
  name: gw-vpc2
spec:
  vpc: vpc2
  subnet: net1-vpc2
  lanIp: 10.0.11.254
  selector:
    - 'kubenetes/os: linux'
  externalSubnets:
    - ovn-vpc-external-network

2. prepare eip.yaml and create it via "kubectl apply -f eip.yaml"
   $ cat eip.yaml
   kind: IptablesEIP
   apiVersion: kubeovn.io/v1
   metadata:
   name: eip-vpc2
   spec:
   natGwDp: gw-vpc2
   externalSubnet: ovn-vpc-external-network

3. check the EIP and found out it cannot be configured correctly

$ kubectl get eip
NAME       IP    MAC   NAT   NATGWDP   READY
eip-vpc2                     gw-vpc2

Current Behavior

the EIP can NOT be configured correctly on CentOS

Expected Behavior

the EIP can be configured correctly on CentOS

[zhangzujian]

Maybe we need to add the iptables-wrapper script into vpc-nat-gateway image.

[jcshare]

Maybe we need to add the iptables-wrapper script into vpc-nat-gateway image.

yes, we saw there are some duplicated Iptables rules which need to be resolved

[zhangzujian]

I have no idea about why it failed.

@bobz965 Could you please take a look?

[bobz965]

@jcshare could you please run bash -x /kube-ovn/nat-gateway.sh eip-add 192.168.1.23/24,192.168.1.1 to see the error details ?

[jcshare]

@jcshare could you please run bash -x /kube-ovn/nat-gateway.sh eip-add 192.168.1.23/24,192.168.1.1 to see the error details ?

already tried and it complains the same error details.
per my debugging, it looks like due to the CentOS 7 itself, it might have some problem to support iptables
I didn't hit the same problem on CentOS 8

thanks

[bobz965]

@jcshare @zhangzujian how about closing this issue? centos7 seems not need to support.

[jcshare]

@jcshare @zhangzujian how about closing this issue? centos7 seems not need to support.
it's OK to me, please help update the doc below:

https://kubeovn.github.io/docs/v1.12.x/start/prepare/
....
软件版本¶
Kubernetes >= 1.23。
Docker >= 1.12.6, Containerd >= 1.3.4。
操作系统: CentOS 7/8,。 <<<<<<< here

thanks

[reski-rukmantiyo]

Hi All,

I also having this problem in Ubuntu. Maybe the difference is that I'm using bond interface (layer 2) to my switch.
May it caused the problem?

E0816 19:47:14.581563       7 vpc_nat_gateway.go:727] failed to ExecuteCommandInContainer errOutput: # Warning: iptables-legacy tables present, use iptables-legacy-save to see them
E0816 19:47:14.581577       7 vpc_nat_gw_eip.go:247] failed to create eip 'eip-vpc-1' in pod, # Warning: iptables-legacy tables present, use iptables-legacy-save to see them
E0816 19:47:14.581617       7 vpc_nat_gw_eip.go:110] error syncing 'eip-vpc-1': # Warning: iptables-legacy tables present, use iptables-legacy-save to see them, requeuing
I0816 19:47:15.581853       7 vpc_nat_gw_eip.go:208] handle add iptables eip eip-vpc-1
I0816 19:47:15.581933       7 ipam.go:60] allocate v4 10.254.127.202, v6 , mac fa:07:23:69:50:12 for eip-vpc-1 from subnet ovn-vpc-external-network
I0816 19:47:15.582097       7 vpc_nat_gateway.go:709] bash /kube-ovn/nat-gateway.sh eip-add 10.254.127.202/24,10.254.127.1
I0816 19:47:18.678485       7 vpc_nat_gateway.go:723] ExecuteCommandInContainer stdOutput: eip-add 10.254.127.202/24,10.254.127.1
-A SNAT_FILTER -j SHARED_SNAT
default via 10.254.127.1 dev net1
ARPING 10.254.127.202 from 0.0.0.0 net1
Sent 3 probes (3 broadcast(s))
Received 0 response(s)

So strange...i even check one by one bash script inside vpc-nat-gateway (nat-gateway.sh) for this.

[bobz965]

@reski-rukmantiyo could you please show bash /kube-ovn/nat-gateway.sh eip-add 10.254.127.202/24,10.254.127.1 ?